<%
=begin
apps: keycloak
platforms: kubernetes, tanzu-application-catalog
id: manage_passwords
title: Manage passwords
category: configuration
weight: 50
highlight: 50
=end %>

This chart provides several ways to manage passwords:

* Values passed to the chart
* An existing secret with all the passwords
* Multiple existing secrets with all the passwords

### Values passed to the chart

In this scenario, a new secret including all the passwords will be created during the chart installation.

When upgrading, it is necessary to provide the secrets to the chart as shown below. Replace the KEYCLOAK_ADMIN_PASSWORD, KEYCLOAK_MANAGEMENT_PASSWORD, POSTGRESQL_PASSWORD and POSTGRESQL_PVC placeholders with the correct passwords and PVC name.

    $ helm upgrade keycloak bitnami/keycloak \
        --set auth.adminPassword=KEYCLOAK_ADMIN_PASSWORD \
        --set auth.managementPassword=KEYCLOAK_MANAGEMENT_PASSWORD \
        --set postgresql.postgresqlPassword=POSTGRESQL_PASSWORD \
        --set postgresql.persistence.existingClaim=POSTGRESQL_PVC

### An existing secret with all the passwords

> NOTE: When installing using an existing secret, passwords may be held in a single secret or separated in multiple secrets.

To use a single existing secret, use the *existingSecret* parameter, as shown below:

    existingSecret:
      name: mySecret
      keyMapping:
        admin-password: myPasswordKey
        management-password: myManagementPasswordKey
        database-password: myDatabasePasswordKey
        tls-keystore-password: myTlsKeystorePasswordKey
        tls-truststore-password: myTlsTruststorePasswordKey

The *keyMapping* parameter links the passwords in the chart with the passwords stored in the existing secret.

### Multiple existing secrets with all the passwords

Configuring multiple existing secrets can be done with the *auth.existingSecretPerPassword* parameter, as shown below:

    existingSecretPerPassword:
      keyMapping:
        adminPassword: KEYCLOAK_ADMIN_PASSWORD
        managementPassword: KEYCLOAK_MANAGEMENT_PASSWORD
        databasePassword: password
        tlsKeystorePassword: JKS_KEYSTORE_TRUSTSTORE_PASSWORD
        tlsTruststorePassword: JKS_KEYSTORE_TRUSTSTORE_PASSWORD
      adminPassword:
        name: mySecret
      managementPassword:
        name: mySecret
      databasePassword:
        name: myOtherSecret
      tlsKeystorePassword:
        name: mySecret
      tlsTruststorePassword:
        name: mySecret

In addition to the key mapping, a different secret name can be configured per password.

> NOTE: The *auth.existingSecretPerPassword* parameter will overwrite the configuration passed to the *auth.existingSecret* parameter.
